
The breach demonstrates that hypervisor‑level compromises can bypass traditional defenses, exposing entire data‑center workloads and forcing rapid patching across legacy ESXi environments.
Hypervisor security has long been a blind spot for many enterprises, yet the ESXi platform powers a substantial portion of private‑cloud workloads worldwide. The discovery of a zero‑day toolkit that remained active for over a year underscores how threat actors can silently harvest valuable compute resources by targeting the virtualization layer. By chaining a VPN compromise with multiple high‑severity CVEs, attackers achieve full control of the host kernel, effectively turning every virtual machine into a foothold for further intrusion.
MAESTRO’s methodology is technically sophisticated: it disables VMware’s VMCI drivers, employs the Kernel Driver Utility (KDU) to sidestep driver signature enforcement, and injects unsigned drivers directly into kernel memory. The exploitation of CVE‑2025‑22224 (a TOCTOU flaw) provides arbitrary code execution, while CVE‑2025‑22225 enables arbitrary writes that facilitate VM escape. The final payload, VSOCKpuppet, communicates over VMware’s virtual socket interface, a channel rarely inspected by conventional IDS/IPS solutions, making detection exceptionally challenging for security teams relying on network‑centric monitoring.
For defenders, the immediate priority is patching every ESXi host running a version that still receives security updates. Organizations should also implement host‑based monitoring for anomalous VSOCK processes and enforce strict firewall segmentation to limit VPN exposure. The broader implication is a reminder that supply‑chain‑level vulnerabilities in virtualization software can have cascading effects across entire ecosystems, prompting a shift toward deeper visibility and zero‑trust controls at the hypervisor tier.